Hello,
We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure against MAC flooding attacks:
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
There is a problem with the more "quiet" hosts, especially in technology: every time the MAC address ages out, the first packet (usually an ARP request) sent by the host is dropped by the switch. No violation is logged; the switch should be fine to forward the packets, but doesn't:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 10
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.aabb.ccdd:11
Security Violation Count : 0
When port security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5 respectively. I haven't checked other models yet.
I have found similar reports and bugs for the 2950 and 3750:
https://supportforums.cisco.com/thread/163910
https://supportforums.cisco.com/message/89560
https://tools.cisco.com/bugsearch/bug/CSCeg63177
https://tools.cisco.com/bugsearch/bug/CSCec21652
Is there anything we can do to fix this?
Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
Thank you.
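As an added example (not part of the original post or of any Cisco tool), the script below parses `show port-security interface` output in the format quoted above for a set of ports, checks each port against the access-port policy from the post (restrict, inactivity aging of 1 minute, maximum 10), and flags the symptom the poster describes: a Secure-up port with a violation count of 0 whose secure MAC table has aged to empty although a source address has already been seen on it. The per-port output is constructed here, and the assumption that an all-zero `Last Source Address` means no host has been seen yet is mine, not something the post states.

```python
"""Audit 'show port-security interface' output for ports whose secure
MAC table has aged to empty without any violation being counted.
Added example: sample output is constructed in the format quoted above;
the all-zero 'no address seen yet' placeholder is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample output for two access ports.
# Gi0/1 mirrors the post (symptom present, policy as configured);
# Gi0/2 has a learned address but deviates from the intended policy.
SAMPLE_OUTPUT = {
    "GigabitEthernet0/1": """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 10
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.aabb.ccdd:11
Security Violation Count : 0
""",
    "GigabitEthernet0/2": """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 10
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.aabb.cc01:11
Security Violation Count : 0
""",
}

# The access-port policy from the configuration in the post.
EXPECTED = {
    "Port Security": "Enabled",
    "Violation Mode": "Restrict",
    "Aging Type": "Inactivity",
    "Aging Time": "1 mins",
    "Maximum MAC Addresses": "10",
}

# The key runs up to the first ' : ' so 'Last Source Address:Vlan' stays intact.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<value>.*)$")


def parse_port_security(text):
    """Turn one interface's output into a key -> value dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


@dataclass
class PortReport:
    interface: str
    policy_mismatches: list = field(default_factory=list)
    aged_out_quiet_host: bool = False


def audit_port(interface, text):
    f = parse_port_security(text)
    report = PortReport(interface)
    for key, want in EXPECTED.items():
        got = f.get(key, "<missing>")
        if got != want:
            report.policy_mismatches.append(f"{key}: expected {want}, got {got}")
    total = int(f.get("Total MAC Addresses", "0"))
    violations = int(f.get("Security Violation Count", "0"))
    last_mac = f.get("Last Source Address:Vlan", "0000.0000.0000:0").split(":")[0]
    seen_host = last_mac != "0000.0000.0000"  # assumption: all-zero = nothing seen yet
    # The symptom from the post: port up, table empty, no violation, host was seen.
    report.aged_out_quiet_host = (
        f.get("Port Status") == "Secure-up" and total == 0 and violations == 0 and seen_host
    )
    return report


def audit_all(outputs):
    return [audit_port(name, text) for name, text in outputs.items()]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_OUTPUT):
        print(f"{r.interface}: {'AGED OUT, QUIET HOST' if r.aged_out_quiet_host else 'ok'}")
        for m in r.policy_mismatches:
            print(f"  policy: {m}")
```

Run against real output, `SAMPLE_OUTPUT` would be replaced by the per-interface text collected from the switches; a port that is flagged repeatedly with a violation count that never increments is exactly the case where the first frame after aging is being dropped silently rather than counted as a violation.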